Analyze a windows service

Inspired by the CQURE 5 day challenge I’ve decided to document some of the things that I’ve learned from the daily assesments. 🙂

Table of Content

When we want to understand the permissions of windows services or specially have to deal with a service that we can’t manage as a local Windows Administrator we get in touch with a strange term called «SDDL».  It stands for Security Descriptor Definition language and is a form of text strings that contains security informations for one or more object.

Let’s play with a prepared service that we can start, but not stop as a local windows Administrator. To install the service simply use the parameter /install.

First let’s see if we can stop this service when we start another cmd with localsystem permission.  I do this with help of PsExec, one of the sysinternals process utilities.

PsExec.exe -s -i -d cmd.exe

whoami

And now let’s see if we can stop our particalar service. Seems that we still have no luck 🙁

What we can do next is to check the SDDL of the service. We can do this by typing:

sc sdshow stopme

sc sdshow stopme >stopme.txt

A possible SDDL String can look like this:

"CQUREHACKS",4 (A;;RPWPDTRC;;;S-1-5-21-xxx-xxx-xxx-xxx-xxx)

(D;; --> Stands for Deny

(A;; --> Stands for Allow

(A;;RPWP;;;SID) --> Allow Start/Stop Service / specific SID

;;;AU --> Authenticated Users
;;;BA --> BuiltinAdmins
;;;SY --> System

With the command sc sdset we can overrite permissions, but if I have a closer look now on the SSDL of that service I took notice that BA and SY have allready permission to stop that service!

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Let’s do a sc sdquery to check how that service is configured

sc query stopme

(NOT_STOPPABLE,  NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

Seems that I was on the wrong path and this Service is not stopable because of  a permission thing, it’s by design!

Set start mode of service to disabled

sc config stopme start= disabled

Let’s check which task is involved by this service

sc qc stopme

Let’s kill that particular task

taskkill /f /IM "stopmeifyoucan.exe"

Uninstall the service

Stopmeifyoucan.exe /uninstall

What did we learn so far?

With help of the psexec.exe command line utility it’s possible to get a cmd with localsystem privileges. In some cases it’s possible to start/stop a service where the local admin group is not allowed to do. With help of the command sc sdshow «servicename», we get the SDDL of the service. It can be helpful to write the output of the command to a textfile. If the problem is based on a permission issue we can change the SDDL of the service by using the command sc sdset «Servicename» «SDDL Value». To get further informations about how the service is configured we can use the sc query «Servicename» command. To get the binary path of a service we can use the command sc qc «Servicename». Last but not least we can set the startmode of the service to disabled by using the command sc config «servicename» startmode = disabled and trying to kill the involed task by using the command taskkill /f /IM «task.exe»

Some repeating questions of that exercise:

Which command may be used to change permissions of Service?
sc.exe

How can we specify service permissions to be used with sc.exe sdset command?
with sddl

How can you specify an AD Group to include it in SDDL?
with SID

How localsystem is presented in SDDL?
SY

Which Account should be used if you’re local administrator on your workstation and you have no permission to change service parameters
localsystem

 

Further References:

Stopping an unstoppable Windows Service

Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.


*